The following is a compendium of news reports, case law and legislative actions over the latest bi-monthly period that may be of interest to our AG offices that are dealing with privacy-related issues. Neither the National Association of Attorneys General nor the National Attorneys General Training & Research Institute expresses a view as to the accuracy of news accounts, nor as to the position expounded by the authors of the hyperlinked articles.

Notable Developments

The ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 on lawyers’ obligations after an electronic data breach or cyberattack of client data. The opinion sets forth that when a breach of protected client information is detected, the lawyer has a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations.

The FDA issued Draft Guidance on cybersecurity management for medical devices, including the suggestion that medical device manufacturers should list all the components of a medical device that could be susceptible to vulnerabilities.

The Radisson Hotel Group confirmed it had suffered a data breach that exposed the personal information of Radisson Reward members, but did not compromise credit card or password information. An investigation by the company found that the information accessed included member name, address, email address and, in some cases, Rewards number.

Canada’s new data breach reporting requirements became effective on November 1, 2018, requiring organizations to report certain breaches of security safeguards to the Office of the Privacy Commissioner and to notify those affected. The Office of the Privacy Commissioner issued guidance to help businesses comply with the new requirements.

The U.K. Information Commissioner’s Office released a report to Parliament on its investigation into the use of data analytics in political campaigns, finding a disregard for voters’ personal privacy among campaign entities and political parties.

CNIL, the French data authority, has issued guidance on the compatibility of blockchain technologies with the GDPR. The guidance seeks to provide solutions for stakeholders who wish to use blockchain as part of their data processing operations.

The U.S. District Court for the District of Arizona has been asked to approve a

settlement in which Motel 6 has agreed to pay $8.9 million to resolve claims in a class action lawsuit alleging its employees provided the personal information of several Latino guests to federal immigration officials, leading to their detainment.

An Eleventh Circuit panel affirmed the seven-year sentence of Jonathan Eubanks, a former Navarro Security road officer, for hacking into his supervisor’s computer after he was fired, deleting payroll information on the company’s server and stealing the identities of three employees. The panel found the sentence to be reasonable.

Privacy Law Initiatives in the Attorney General Community

New Jersey Attorney General Gurbir Grewal and the Division of Consumer Affairs announced a $200,000 settlement with now-defunct medical transcription company ATA Consulting d/b/a Best Medical Transcription over a security breach that allowed the public to view online more than 1,650 patient records. Investigator Aziza Salikhova worked on the case, and DAGs Carla Pereira and Elliott Siebers represented the State.

Washington Attorney General Bob Ferguson released his third annual Data Breach Report, finding an increase of 26 percent in the number of residents affected by a data breach.

Hedda Litwin is the Editor of Privacy Law Newsletter and may be reached at 202-326-6022. The Privacy Law Newsletter is a publication of the National Association of Attorneys General. Any use and/or copies of this newsletter in whole or part must include the customary bibliographic citation. NAAG retains copyright and all other intellectual property rights in the material presented in this publication. For content submissions or to contact the editor directly, please e-mail hlitwin@naag.org.